Posts Tagged ‘Two Factor Authentication’

Phoning Home to China

October 25, 2011

A couple of weeks ago, during the RSA Conference in London, Tom Heiser, president of RSA, declared that two separate hacker groups already known to the authorities were behind the serious breach that hit the security firm in March of this year, and that they were likely working at the behest of a government. Heiser also stated that the attackers possessed inside information about the company’s computer naming conventions, which helped their activity blend in with that of legitimate users on the network, concluding that, given the sophistication of the breach:

“we can only conclude it was a nation-state-sponsored attack.”

In a statement issued after the breach, the security firm declared that some information related to its two-factor authentication technology, SecurID, had been extracted during the attack, and that this information could be used, as part of a broader attack, to reduce the effectiveness of the two-factor authentication.

Curiously, RSA refused to name the nation involved, thus not confirming the suspicions pointing to China. Regardless of the nation, it was immediately clear among security professionals that the true target of the attack was not RSA but its customers: SecurID tokens are used by 40 million people in at least 30,000 organizations worldwide to gain secure access to IT systems. So it was no surprise that a few weeks after the breach three defense contractors were attacked using compromised seeds: although in two cases (L-3 Communications and Northrop Grumman) there was no direct evidence of the involvement of compromised tokens, only rumors, in one case (Lockheed Martin) RSA admitted the use of compromised tokens and offered to replace the tokens of affected customers.

Today another interesting piece of the puzzle: on his blog Brian Krebs publishes a list of companies whose networks were shown to have been phoning home (i.e. connecting to the C&C server) to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attackers’ control networks as early as November 2010. According to the list, 760 other organizations had networks compromised with some of the same resources used to hit RSA, and almost 20 percent of the current Fortune 100 companies are on this list.

Scroll down the names on the list and you will find many interesting and surprising firms, even though the author rightly advises that:

  • Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit;
  • It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims;
  • Some of the affected organizations (there are also several antivirus firms mentioned) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

So, in the end, what does China have to do with it? Simple: at the bottom of the article there is a chart reporting the location of more than 300 command and control networks that were used in these attacks. Guess where 299 of them were located…

(Thanks to @MasafumiNegishi for reporting the original blog post).

Finally I Saw One!

August 26, 2011

Update: F-Secure has posted on its blog the complete description of how patient zero was found. And here is the infamous “2011 Recruitment Plan” message:

Have a look at the fake sender: a message from beyond…

Original Post follows:

I was working hard on the August 2011 Cyber Attacks Timeline (stay tuned, it is almost ready! Meanwhile you may check the previous ones) when I stumbled upon this very interesting article. Yes, I can say that I finally saw one of the e-mails used for spear phishing attacks against RSA customers using compromised seeds.

As you probably know, everything started on March 17, 2011, when RSA admitted it had been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being extracted from RSA’s systems.

Of course the seed and serial number of the token alone (the information allegedly stolen) are not enough to carry out a successful attack, so the attacker (whose real targets were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is, the username and the PIN. And what is the best way? Spear phishing, of course!

And here is the example of a fake e-mail used for spear phishing against one of America’s most secret (and important) agencies and, at the same time, RSA customers:

Likely the same attack vector was used against the three contractors (RSA customers) targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3 and Northrop Grumman). What a terrible year for contractors and DHS-related agencies!
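The seed/PIN split described above, as an added example that is not RSA's code: SecurID's algorithm is proprietary, so an RFC 6238-style time-based OTP stands in for it, and the seeds, PIN, salt and timestamp are constructed. It shows that a leaked seed yields the tokencode but gets nowhere without the phished PIN, and that re-issuing the seed (token replacement) invalidates what the attacker holds.

```python
import hashlib, hmac, struct

# Added example, not RSA's code. SecurID's algorithm is proprietary, so an
# RFC 6238-style time-based OTP (HMAC-SHA1 over the time step) stands in for it;
# STEP, DIGITS, SALT and every seed, PIN and timestamp below are constructed.
STEP, DIGITS, SALT = 60, 6, b"constructed-salt"

def tokencode(seed: bytes, now: int) -> str:
    """The code a token (or anyone holding its seed) displays at unix time `now`."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 50_000)

class AuthServer:
    """Checks PASSCODE = PIN + tokencode, the way a SecurID-style agent does."""
    def __init__(self):
        self.users = {}                      # username -> (seed, pin_hash)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin_hash(pin))

    def reissue(self, user: str, new_seed: bytes) -> None:
        # Token replacement: the PIN stays, the leaked seed stops being useful.
        self.users[user] = (new_seed, self.users[user][1])

    def verify(self, user: str, passcode: str, now: int) -> bool:
        rec = self.users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False                     # no PIN part at all: reject
        seed, stored = rec
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(pin_hash(pin), stored):
            return False
        return any(hmac.compare_digest(tokencode(seed, now + k * STEP), code)
                   for k in (-1, 0, 1))      # tolerate one step of clock drift

def demo() -> dict:
    # Seed-leak walk-through: what the attacker can and cannot do with it.
    srv, seed, now = AuthServer(), b"constructed-seed-0001", 1_300_000_000
    srv.enroll("alice", seed, "4321")
    code = tokencode(seed, now)              # the leaked seed yields this directly
    out = {"seed_only": srv.verify("alice", code, now),                    # False
           "seed_plus_phished_pin": srv.verify("alice", "4321" + code, now)}  # True
    srv.reissue("alice", b"constructed-seed-0002")
    out["after_reissue"] = srv.verify("alice", "4321" + code, now)         # False
    return out
```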

By chance, today F-Secure revealed it had discovered patient zero, that is, the e-mail (“2011 Recruitment Plan”) used to carry the APT inside RSA. Someone (who decided to follow best practice for anomalous e-mails) submitted it to VirusTotal, a cloud-based file scanning service, and it appears that F-Secure anti-malware analyst Timo Hirvonen found the message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.

Original source of the spear phishing e-mail:

Kudos to @yo9fah for sending me the link.

It was only a matter of time…

May 26, 2011

05/27 Update: several sources report that the “large U. S. Defense contractor” hit by the alleged compromised-seed attack could be Lockheed Martin.

It was only a matter of time… And not only the time needed to synchronize the RSA algorithm…

A bolt from the blue! A source reports some details of the alleged first attack on a very large U.S. defense contractor, carried out by means of compromised RSA seeds:

Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecurID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.

Fortunately the contractor was able to detect the breach and to manage it, avoiding worse consequences.

But many questions remain unanswered: was this the first attempt? Were all the seeds compromised during the famous breach? For sure it will not be the last, and my sixth sense (and a half) tells me we will have to get used to these kinds of attacks.

As I said in a previous post, I am more and more convinced that the final target of the attack was not RSA…

Strong Authentication: Back To The Future

The month of March will go down in the annals of information security. First the RSA breach, then the issue of fake Comodo certificates (with the subsequent claim of responsibility by the Iranian “Comodo Hacker”) have gradually brought down the (few) certainties that strong authentication technologies relied on.

While commenting on the beginning of this new era of very few certainties for our digital identities, I could not help thinking about the (apparently) downward trend I was getting used to in the strong authentication mechanisms adopted for my home banking (don't worry, I do not currently have any RSA SecurID tokens, fortunately). In hindsight it could be read as a strange omen (I would suggest RSA follow the same path).

My first e-banking contract dates back to 2005, and it was signed with a regional Italian bank. In that year, for performing operations such as money transfers, I was given a digital certificate stored on a floppy disk (in 2005, sigh!) for electronically signing every transaction. At that time I was firmly convinced that digital certificates were the most secure method to strongly authenticate transactions, but I never used that certificate since, even back in 2005, a floppy disk was already a thing of the past.

A couple of years later the same bank made a Copernican (r)evolution and decided to dismiss all the certificates in exchange for OTP tokens (not manufactured by RSA but by a competitor). Despite some scattered small issues due to poor IT governance (in a couple of cases there was no way to get the PIN recognized, and I was also the victim of a data loss covering the electronic transactions of the previous four months, strictly without backup of course, even though the operations had actually been carried out), I was quite satisfied with the tokens (but not with the bank). Needless to say, these kinds of incidents always happened when I desperately needed to complete a transaction.

Five months ago I changed bank (looking for better conditions) and decided to open a brand new, completely online account. Well! Guess what kind of device I was given to authenticate transactions? After a digital certificate and a token, I would have expected at least a PKCS#11 OTP USB key… Not at all: I was given instead an efficient (but not very elegant or technological) card with a numerical grid composed of 24 triplets. Now for each operation I am asked to enter three digits, each belonging to a different triplet randomly chosen among the 24 printed on one face of the card.
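The grid-card scheme just described, as an added example that is not the bank's implementation (the challenge format, the failure cap and all card values are assumptions): the bank picks three different triplets per transaction, accepts each challenge only once and caps failed attempts, since a three-digit response leaves just a thousand possibilities, and it tallies how many of the 72 printed digits an observer of successful transactions has already seen.

```python
import hmac, random

# Added example, not the bank's code. The page says only that the card holds 24
# triplets and that each transaction asks for one digit from three different
# ones; the challenge format, the failure cap and all card values are assumptions.
GRID_ROWS, TRIPLET, MAX_FAILURES = 24, 3, 3

def make_card(rng):
    # One face of the card: 24 three-digit triplets (use random.SystemRandom for real ones).
    return [f"{rng.randrange(1000):03d}" for _ in range(GRID_ROWS)]

def make_challenge(rng):
    """Three distinct triplet indices, each with the position (0..2) to reveal."""
    return [(row, rng.randrange(TRIPLET)) for row in rng.sample(range(GRID_ROWS), 3)]

def expected_response(card, chal):
    return "".join(card[row][pos] for row, pos in chal)

class GridAuth:
    """Bank side for one customer: one-shot challenges, a failure cap, exposure tally."""
    def __init__(self, card, rng):
        self.card, self.rng = card, rng
        self.pending, self.failures, self.exposed = None, 0, set()

    def begin(self):
        if self.failures >= MAX_FAILURES:
            return None                      # locked: only 10**3 possible responses
        self.pending = make_challenge(self.rng)
        return self.pending

    def finish(self, response):
        chal, self.pending = self.pending, None   # each challenge is usable once
        if chal is None:
            return False
        ok = hmac.compare_digest(expected_response(self.card, chal), response)
        self.failures = 0 if ok else self.failures + 1
        if ok:
            self.exposed.update(chal)        # cells an observer has now seen
        return ok

def demo(seed=7):
    # Walk-through on a constructed, seeded card: accept, replay, lockout, exposure.
    rng = random.Random(seed)
    auth = GridAuth(make_card(rng), rng)
    good = expected_response(auth.card, auth.begin())
    out = {"correct": auth.finish(good), "replay": auth.finish(good)}
    bad = str((int(good[0]) + 1) % 10) + good[1:]
    for _ in range(MAX_FAILURES):
        auth.begin()
        auth.finish(bad)
    out["locked"] = auth.begin() is None
    out["exposed_cells"] = len(auth.exposed)  # 3 of the 72 digits printed on the card
    return out
```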

Of course even the most vivid imagination could not have guessed that the trajectory of the strong authentication methods for my bank accounts over these years could be read as a premonition. Actually banks always know more than the devil, especially when it comes to other people’s money, but I must confess that, despite my initial disappointment at the progressive weakening of the authentication mechanism needed to sign transactions, in the last month I changed my mind, and now I feel more comfortable with a card printed with a kind of Caesar cipher (yes, I know it is not quite the same thing, but the comparison is appealing: back to the future!) than with an OTP token or a certificate.

I was almost thinking of trying strong authentication via SMS, but just today I realized it is not particularly advisable, above all on the iPhone, where the 2FA (two-factor authentication) mechanism has just been compromised. OK, I have an Android phone, but maybe it is better not to use any mobile device at all: threats like Zitmo (Zeus in the Mobile) are always around the corner.

RSA Servers Breached

This morning I woke up to one of those pieces of news whose echo will reverberate for quite a while in the infosec arena. The Sophos blog reports that the well-known security company RSA, specialized in strong authentication systems (which it practically invented), has been the victim of a cyber attack that led to the theft of some important information.

The news was communicated by RSA itself through a terse statement on its own website. Although the company managed to detect the attack and immediately strengthened its security measures, unfortunately it could not prevent the theft of valuable information from its servers, including some relating to the two-factor OTP strong authentication system RSA SecurID, which for years has been the company’s flagship solution (the company that in fact invented the asymmetric encryption algorithm of the same name). Which of us has never used, at least once, the small display with the little magic numbers that change every 10 seconds?

The details of the attack are not known: RSA declared it was the victim of an “extremely sophisticated cyber attack”, but it seems that at the root of it there is in any case an Advanced Persistent Threat, that is, an extremely sophisticated attack carried out on many levels and probably having the user as its entry point (at this link an excellent definition of this type of attack).

As mentioned earlier, the worst side of the affair lies in the fact that some information relating to the two-factor authentication solution also appears to have been stolen. At present there is no news of possible attacks against customers (RSA produces the majority of the OTP tokens on the market, used for the most varied purposes: from banking transactions to remote access for operators), however:

this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

That is, the stolen data could be used to reduce the effectiveness of the current two-factor authentication system within a broader attack.

RSA will soon provide its customers with some recommendations to make their two-factor authentication infrastructure more secure; in the meantime, in cooperation with the U.S. Securities and Exchange Commission, it has published the following recommendations:

  • Raise the level of security around social media applications and their use (and that of any other websites) for anyone with access to critical portions of the network;
  • Use strong passwords, complemented by PINs;
  • Apply the rule of least privilege when assigning roles and responsibilities to security administrators (every administrator must access only the minimum level of information indispensable for carrying out their activity);
  • Educate users on the importance of avoiding suspicious e-mails and remind them not to provide usernames or other credentials to anyone without first verifying their identity and authority. Never provide credentials in response to requests made by e-mail or phone, and report such behaviour immediately;
  • Pay attention to the protection of Active Directory repositories, using SIEM (Security Information & Event Management) technologies and two-factor authentication for access to those repositories;
  • Closely monitor changes in user privileges and related access rights using monitoring technologies (for example the aforementioned SIEM), and consider adding manual approval levels for these changes;
  • Harden, actively monitor and at the same time restrict physical access to the infrastructure hosting critical information;
  • Review help desk procedures looking for any information leaks that could implicitly help an attacker carry out a social engineering attack;
  • Always keep the whole security infrastructure and the operating systems up to date with the latest security patches.

Once again in the course of 2011 the equation APT = information theft proves sadly successful and effective. Details of the attack have not yet leaked, but from an analysis of the recommendations provided some common traits emerge: the “compromise” of the user as the entry point for compromising the infrastructure. After all, if you analyze the recommendations provided and compare them with the morphology of the Night Dragon attack, don't you find that they coincide perfectly with the human and technological vulnerabilities exploited in that context?

